Philosophy of Security
Process, not Product
We consult with clients around the world on Internet security processes. In some of these engagements our assignment is to implement high assurance of secure operations (we'll explain what that means below). The reality of life is that security cannot be purchased in a shrink-wrapped box, nor is it automatic because you use one platform or another. To obtain "security" requires an attitude and specific processes.
“...security cannot be purchased in a shrink-wrapped box...”
We effect security through a combination of pillars — well-selected technology, careful setup, defensive posture, adherence to assured practices, monitoring, audit, contingency plans, and continual note of risk.
Assurance Level
Web servers are plugged into a hostile Internet. Most servers that we administer are scanned several times a day for vulnerabilities. Simply installing an operating system, starting the computer, and copying web files over does nothing but invite trouble.
“...raise the assurance level proactively so that hacking in becomes a serious chore...”
The key is to select a level of assurance appropriate for your organization (this might be thought of in the inverse, i.e. select the level of risk appropriate). With some effort, we can say we have “high assurance” of security. One cannot expect 100% — by the nature of computing it is categorically impossible for a networked computer to be impenetrable. But by selecting a level of assurance you narrow the risk gap. If you do nothing, you implicitly adopt a low assurance of security, greatly increasing your chances of being hacked. More prudently, raise the assurance level proactively so that hacking in becomes a serious chore for an attacker.
Services Based on Security
Consultation on Security
NeoReality consults on Internet security. In certain engagements we may agree to consult on general IT security for smaller organizations.
- Risk Analysis
- Security Policy
- Employee Education
- Organizational Processes
- Software
- Analysis
Configuration & Report on Initial Security Posture (a.k.a. "Lockdown")
One of the most popular NeoReality service offerings is a complete security lockdown of a new server, starting before the server is even plugged into the Internet. We employ specific technologies and practices to harden the server against intrusion and to mitigate damage if an intrusion occurs. We then set forth an ongoing plan that will keep the server safe, and we work with the client to make sure that we, they, or a third party (e.g. the hosting company) actually implement this plan on an ongoing basis. The key is that this plan is not just about the computer — it contains action items for humans as well. The users and managers must adhere to certain practices to ensure the security of the server. Naturally, we are generally involved in helping these people as they get started. After executing this process, we can then say we have “high assurance” of security.
[Figure: Sample pages of a security report following a checklist engagement.]
This process is not limited to servers taking credit card numbers or holding medical records. Any server hosted on the Internet that is not behind a firewall can be a staging point for hackers to cause trouble (and sometimes even those behind a firewall). Consider a hacker who vandalizes the home page of your company web site or who begins sending pornographic emails to your customers. It may sound crazy, but these incidents and far worse have happened to real organizations.
Ongoing Monitoring
NeoReality actively monitors web servers around the world serving thousands of visitors daily. Our technicians monitor the automatic processes to ensure that security threats are neutralized according to plan.
Because our technicians become exposed to widespread security epidemics virtually as soon as they occur, they are in an excellent position to offer counsel to organizations having security problems. For example, when new viruses enter the wild our technicians routinely help to disinfect other organizations based on experience in encountering the same virus over and over again.
Our Monitoring vs. Hosting Company
"Managed Hosting" has accelerated as a service niche in the web community in recent years. It entails hosting dedicated web servers for customers while providing more intensive customer service than traditional hosting companies, which simply flip the switch and let you have at it.
Virtually all of the dedicated web servers that we administer on behalf of clients reside at Managed Hosting companies. We believe strongly in their business model and the benefits they provide. We would like to make a distinction, however, that we feel is not clearly made for customers seeking overall hosting and technical services. The more involved nature of these companies' service offerings certainly lends a great deal to the overall assurance of success, but these firms still stop short of becoming intimately familiar with every element of your web site, your technical requirements, your day-to-day activities, and even the programs running on your web server. Their view of your system is still "as a box" from the outside. NeoReality spans the gap between the hosting company and your company, providing expert administration, development, and support services. Some overlap exists; for instance, the host will upgrade your web server software to the new version, just as we will. But chances are, they can only speak on the general benefits of the new version, while we know whether and why your applications will be affected by it. That's because it's our business to help you with your web applications.
Intrusion Response
At some point, organizations with Internet servers may suffer a compromise. In fact, given a long enough period of time, one might argue it to be a probabilistic certainty. NeoReality offers consultation and response services in the event of such a problem. We can assist managers in confirming evidence of an intrusion, assessing the type of intrusion, the damage done, and the risk of continuing to operate the compromised server. We can provide an action plan for immediate transfer to and activation of a secondary server, with audited methods for copying data from the old server so that the new server is known not to carry the compromise over.
Suspicion of compromise should be verified immediately. If you manage a server that you suspect has been hacked, please call professionals immediately for assistance. In some cases on standard operating systems we can confirm intrusion in three minutes or less. Do not delay on account of having no precious data on your server — a compromised server can expose a company to liability regardless. It can become an illegal trading point for files, a mail gateway for spam, a launch point for Denial of Service attacks, or even a traceable hop in a hack attack against government networks. We recommend that possible compromises be analyzed immediately.